Merge pull request #1328 from contentstack/fix/CS-43472

fix: semgrep reported issues
contentstack · Mar 5, 2024 · 3b3ee39 · 3b3ee39
2 parents 587268f + 83d6625
commit 3b3ee39
Show file tree

Hide file tree

Showing 6 changed files with 21 additions and 10 deletions.
diff --git a/packages/contentstack-audit/src/messages/index.ts b/packages/contentstack-audit/src/messages/index.ts
@@ -1,4 +1,5 @@
 import memoize from 'lodash/memoize';
+import { escapeRegExp } from '@contentstack/cli-utilities';
 
 const errors = {};
 
@@ -65,8 +66,8 @@ function $t(msg: string, args: Record<string, string>): string {
     if (!msg) return '';
 
     for (const key of Object.keys(args)) {
-      const escapedKey = key.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
-      msg = msg.replace(new RegExp(`{${escapedKey}}`, 'g'), args[key] || escapedKey);
+      const escapedKey = escapeRegExp(key);
+      msg = msg.replace(new RegExp(`{${escapedKey}}`, 'g'), escapeRegExp(args[key]) || escapedKey);
     }
 
     return msg;

diff --git a/packages/contentstack-bulk-publish/src/consumer/publish.js b/packages/contentstack-bulk-publish/src/consumer/publish.js
@@ -43,7 +43,6 @@ async function publishEntry(data, _config, queue) {
     .publish({
       publishDetails: { environments: entryObj.environments, locales: lang },
       locale: entryObj.locale || 'en-us',
-      version: entryObj.version
     })
     .then((publishEntryResponse) => {
       if (!publishEntryResponse.error_message) {
@@ -246,9 +245,10 @@ async function performBulkPublish(data, _config, queue) {
         .publish(payload)
         .then((bulkPublishEntriesResponse) => {
           if (!bulkPublishEntriesResponse.error_message) {
+            const sanitizedData = JSON.stringify(removePublishDetails(bulkPublishObj.entries));
             console.log(
               chalk.green(
-                `Bulk entries sent for publish ${JSON.stringify(removePublishDetails(bulkPublishObj.entries))}`,
+                `Bulk entries sent for publish ${sanitizedData}`,
               ),
               (bulkPublishEntriesResponse.job_id) ? chalk.yellow(`job_id: ${bulkPublishEntriesResponse.job_id}`) : ''
             );

diff --git a/packages/contentstack-import/src/utils/asset-helper.ts b/packages/contentstack-import/src/utils/asset-helper.ts
@@ -1,7 +1,7 @@
 import Bluebird from 'bluebird';
 import * as url from 'url';
 import * as path from 'path';
-import { ContentstackClient, managementSDKClient } from '@contentstack/cli-utilities';
+import { ContentstackClient, managementSDKClient, escapeRegExp } from '@contentstack/cli-utilities';
 import { ImportConfig } from '../types';
 const debug = require('debug')('util:requests');
 let _ = require('lodash');
@@ -249,8 +249,9 @@ export const lookupAssets = function (
   assetUrls.forEach(function (assetUrl: any) {
     let mappedAssetUrl = mappedAssetUrls[assetUrl];
     if (typeof mappedAssetUrl !== 'undefined') {
-      const escapedAssetUrl = assetUrl.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
-      entry = entry.replace(new RegExp(escapedAssetUrl, 'img'), mappedAssetUrl);
+      const sanitizedUrl = escapeRegExp(assetUrl);
+      const escapedMappedUrl = escapeRegExp(mappedAssetUrl);
+      entry = entry.replace(new RegExp(sanitizedUrl, 'img'), escapedMappedUrl);
       matchedUrls.push(mappedAssetUrl);
     } else {
       unmatchedUrls.push(assetUrl);

diff --git a/packages/contentstack-import/src/utils/common-helper.ts b/packages/contentstack-import/src/utils/common-helper.ts
@@ -151,7 +151,11 @@ export const field_rules_update = (importConfig: ImportConfig, ctPath: string) =
                   management_token: importConfig.management_token,
                 });
                 let ctObj = stackAPIClient.contentType(schema.uid);
-                Object.assign(ctObj, _.cloneDeep(schema));
+                //NOTE:- Remove this code Object.assign(ctObj, _.cloneDeep(schema)); -> security vulnerabilities due to mass assignment
+                const schemaKeys = Object.keys(schema);
+                for (const key of schemaKeys) {
+                  ctObj[key] = _.cloneDeep(schema[key]);
+                }
                 ctObj
                   .update()
                   .then(() => {

diff --git a/packages/contentstack-import/src/utils/entries-helper.ts b/packages/contentstack-import/src/utils/entries-helper.ts
@@ -7,6 +7,7 @@ import * as path from 'path';
 import * as _ from 'lodash';
 import config from '../config';
 import * as fileHelper from './file-helper';
+import { escapeRegExp } from '@contentstack/cli-utilities';
 
 import { EntryJsonRTEFieldDataType } from '../types/entries';
 
@@ -199,8 +200,9 @@ export const lookupEntries = function (
   let entry = JSON.stringify(data.entry);
   uids.forEach(function (uid: any) {
     if (mappedUids.hasOwnProperty(uid)) {
-      const escapedUid = uid.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
-      entry = entry.replace(new RegExp(escapedUid, 'img'), mappedUids[uid]);
+      const sanitizedUid = escapeRegExp(uid);
+      const escapedMappedUid = escapeRegExp(mappedUids[uid]);
+      entry = entry.replace(new RegExp(sanitizedUid, 'img'), escapedMappedUid);
       mapped.push(uid);
     } else {
       unmapped.push(uid);

diff --git a/packages/contentstack-utilities/src/helpers.ts b/packages/contentstack-utilities/src/helpers.ts
@@ -36,3 +36,6 @@ export const createDeveloperHubUrl = (developerHubBaseUrl: string): string => {
     : developerHubBaseUrl;
   return developerHubBaseUrl.startsWith('http') ? developerHubBaseUrl : `https://${developerHubBaseUrl}`;
 };
+
+// To escape special characters in a string
+export const escapeRegExp = (str: string) => str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');